
Free Pablo and Fancy Bear: GRU illegal Pavel Rubtsov got a warm welcome home in Moscow by a hacker on the FBI Most Wanted List

In August 2024, the world witnessed an unprecedented prisoner swap between the West and the Kremlin: Russia agreed to release 16 individuals, including political prisoners Vladimir Kara-Murza and Ilya Yashin and U.S. citizens Evan Gershkovich and Paul Whelan in exchange for eight Russians — GRU illegals, hackers, and killers. Among others, the plane to Moscow carried Pavel Rubtsov, a Russian military intelligence agent who had worked in the West posing as “Spanish journalist Pablo González” until Poland arrested him on espionage charges in February 2022. The Insider has identified Rubtsov's GRU curator, Oleg Sotnikov, in the video of Putin welcoming home his spies and assassins after the swap.

Photo: Carlos Luján / Europa Press / ContactoPhoto

“Your Empire Needs You,” declares the Star Wars t-shirt worn by the bald, bearded man arriving at Vnukovo Airport in Moscow on Aug. 1, 2024. Pablo González is how many in the West had come to know him over the years, either from his articles in the Spanish press or from reading about his controversial detention in Poland in 2022 as an alleged Russian spy. González has just been exchanged as part of one of the most significant prisoner swaps between the West and Russia since the Cold War. He smiles and shakes hands with Vladimir Putin. Then, as Putin wanders off to address the scrum of reporters there to witness the homecoming of eight Russian nationals, González can be glimpsed blurrily in the background of Smotrim.ru, a live-streaming Russian news portal, hugging other men in suits and ties.

At left, GRU “illegal” Pablo González, a.k.a. Pavel Rubtsov, hugging his fellow GRU officer Oleg Sotnikov, upon González’s arrival in Moscow following Russia’s prisoner exchange with the West in August 2024

One of these is not a relative or editor. He isn’t a lawyer or human rights monitor or any kind of Russian official you’d expect to see at the anticipated arrival of a recent occupant of a Polish jail cell. His name is Oleg Sotnikov, 52, and he’s on the FBI’s Most Wanted List — sought in connection with various hacking operations targeting, among others, the Organization for the Prohibition of Chemical Weapons (OPCW), the U.S. Anti-Doping Agency (USADA), and the World Anti-Doping Agency (WADA). Sotnikov is well known to NATO counterintelligence. He’s an officer of the GRU, Russia’s military intelligence service. In October 2018, the U.S. District Court of the Western District of Pennsylvania indicted Sotnikov and six other GRU officers for “stealing private or otherwise sensitive information” to use as part of an “‘influence and disinformation’ campaign designed to undermine the legitimate interests of the victims, further Russian interests, retaliate against Russia's detractors and sway public opinion in Russia’s favor.”

Specifically, Sotnikov offered support to one of the GRU’s cyber operations teams, Unit 26165, in the “close access” hacking of the OPCW headquarters in The Hague. He turned up in the Netherlands with his co-conspirators to breach the chemical weapons watchdog’s WiFi network in April 2018; little did they know they were being trailed by Dutch General Intelligence and Security Services (AIVD) from the moment the team arrived at Schiphol Airport in Amsterdam. Just as they got to work from the parking lot of a Marriott hotel adjacent to the watchdog’s building, the entire team was rounded up by the AIVD and expelled from the country.

A photograph of Sotnikov taken in the Netherlands and featured as Exhibit A-5 in the U.S. federal indictment

As of June 2013, Moscow’s residential database showed Sotnikov’s “permanent address” as Khoroshevskoye Chausse 76B, which happens to be the main address of GRU Headquarters.

FBI Most Wanted poster for Oleg Sotnikov, a GRU officer accused of helping to hack into the OPCW and anti-doping organizations, including one based in Colorado Springs

For more than a decade, the GRU has conducted extensive cyberoperations aimed at exfiltrating sensitive information from international monitors and has waged political campaigns in order to instrumentalize it to Moscow’s advantage. The Kremlin expends enormous energy and resources on obfuscating forensic evidence and denying its culpability in poisoning its enemies — and on covering up for its clients when they do the same. The OPCW, for instance, investigated Syrian chemical weapons attacks perpetrated by Russia’s client, Bashar al-Assad’s regime, and the 2018 Novichok poisoning of Sergei and Yulia Skripal in Salisbury, England, which was carried out by the GRU’s black ops team, known as Unit 29155. The hacking of anti-doping agencies, too, coincided with the 2016 Summer Olympics in Brazil, where, out of 389 athletes competing for Russia, 111 were disqualified because of their use of prohibited steroids and performance-enhancing drugs.

“Fancy Bear,” as Unit 26165 has been nicknamed by cybersecurity experts, became notorious in 2018 when a dozen of its members were indicted by Special Counsel Robert Mueller for engaging in “a sustained effort” to hack into the digital correspondence of the Democratic Party and Hillary Clinton’s presidential campaign with the aim of swaying the 2016 U.S. election in favor of Donald Trump.

Sotnikov’s passport photo

What NATO counter-intelligence did not realize, however, was that Sotnikov isn’t just a hacking accomplice. As an investigation by The Insider and its reporting partners discovered, Sotnikov has long served as a logistical support officer for GRU’s 5th Department, Russia’s military intelligence illegals program.

Over the years Sotnikov has been posted overseas under various diplomatic covers, including as the Russian consul in two Latin American countries, Nicaragua and Brazil. He was posted in Rio de Janeiro during the 2016 Olympics and was thus a credentialed officer of the Russian General Consulate when Fancy Bear pulled off one of its known capers: the hacking of USADA and WADA officials’ computer systems via breaches in the WiFi networks they used at hotels and various access points throughout the city, allowing the GRU to access “summaries of athlete test results and prescribed medications,” among other sensitive data.

The Insider identified Sotnikov by running a screengrab from the obscure airport video through a proprietary reverse face-search tool. The search was successful despite the poor quality of Sotnikov’s image — largely because his FBI Most Wanted photos were also of poor resolution, resulting in an unlikely but high-confidence match. Subsequent comparisons of the blurry image from the airport scene to high-quality photos of Sotnikov, using various face-comparison forensic tools, confirmed the match with a confidence exceeding 90%.

Sotnikov was also stationed at the Russian General Consulate in Rio, Brazil, a key location for Russia’s “illegals” recruitment program. Mar. 25, 2014.

Sotnikov’s familiarity with González, whose real name is Pavel Rubtsov, lends further credence to the allegation advanced by Polish authorities and members of the Russian opposition that Pablo González’s public profile as a journalist was actually a cover for his work for the same Russian spy agency.

The Insider, in collaboration with VSquare and the Organized Crime and Corruption Reporting Project, is the first news outlet to confirm Sotnikov’s participation in González’s welcoming committee in the Russian capital last summer.

***

Pablo González, a.k.a. Pavel Rubtsov, was born to a Russian father and Russian-Spanish mother in Moscow in 1982. Following their divorce in 1991, the mother and Pavel relocated to Spain, where the latter officially became Pablo González Yagüe while retaining his Russian passport. He went on to pursue studies in Slavic languages and became a reporter.

After working for several Spanish outlets, in 2018, González ran a website called Eulixe with his colleague Juan Teixeira. He’d frequently report from war zones where Russia had a direct interest, including those in Syria and Ukraine. As an investigation by VSquare found, the Eulixe website was created following González’s trip to Moscow and St. Petersburg. According to Russian investigative outlet Agentstvo, he made those trips alongside another GRU officer, Sergei Turbin, on June 16, 2017. Their tickets were purchased in a single credit card transaction that listed shared contact data for the two passengers.

The Insider identified Turbin as belonging to the Fifth Department, which runs Russian military intelligence’s “illegals” program — spies working abroad outside of diplomatic cover. Turbin also phoned Andrey Ilchenko, the head of the Fifth Department, and a top-ranking GRU general who supervised Bonanza Media, a disinformation project run by the service aimed at discrediting forensic investigative work implicating Russian military and intelligence officers in the downing of MH17. González attended a Bonanza Media conference in the Netherlands in October 2019.

Moreover, González destroyed his electronic devices on the orders of his handlers following a series of exposes in 2018 by The Insider and its investigative partner Bellingcat, which unmasked various GRU operations in Europe — including several involving Sotnikov and Fancy Bear. Further evidence showed that while he and his father were not registered to any suspicious addresses in Moscow, González’s stepmother was: she lives adjacent to GRU headquarters, in a building where a number of intelligence officers reside.

Relying on documents related to his case — along with Spanish and foreign intelligence sources — Spanish newspaper El Mundo reported in October 2024 that González had been employed by the GRU since as early as April 2016. The documents described him as “a journalist and political scientist by profession, married with three children, who covered current affairs throughout the former Soviet Union, with a monthly income of between €1,500 ($1,645) and €2,000 ($2,194), and collaborated with various news outlets.”

He certainly got around for a family man living on such a modest income.

González’s main effort was apparently befriending and spying on Russian emigres and opposition figures in the West. Agentstvo reported that González grew exceptionally close to Zhanna Nemtsova, the daughter of murdered Russian dissident and former deputy prime minister Boris Nemtsov. Polish intelligence claimed he detailed reports about her activities as the head of the Bonn-based Nemtsov Foundation and even stored Nemtsova’s letters to her deceased father on his computer. Nemtsova has aided Polish authorities in their investigation into González.

He also met with two other victims of the Kremlin.

González spied on Alexei Navalny and recorded details of the now-murdered Russian opposition leader’s travels in Europe, including “the addresses of clinics [Navalny visited] in Barcelona and Lausanne,” according to El Mundo. González met Navalny at least twice — including in Spain in June 2017, when Navalny traveled to Barcelona to undergo eye surgery for an injury sustained from an attack with a green chemical. In September 2020, a month after Navalny narrowly survived the Russian security service’s attempt to kill him with the Novichok nerve agent, González tried to sow skepticism about Russia’s involvement in the operation by posting a selfie he had taken with the Russian opposition figure during their 2017 meeting. Moscow, González suggested on social media, couldn’t be responsible because it frequently arranged for Navalny to leave Russia for medical treatment.

In 2017, González also interviewed Vladimir Kara-Murza, who was similarly poisoned by Russia’s FSB. In 2016, González participated in a public event with Ilya Yashin, another opposition figure. Documents obtained by The Insider suggest Navalny was poisoned a final time in his Siberian prison cell in February 2024, three years after he was arrested at Moscow’s Sheremetyevo airport upon returning from Germany, where he’d been recuperating from the August 2020 assassination attempt. Navalny died just as German Chancellor Olaf Scholz was negotiating with the Kremlin for his release in exactly the sort of prisoner swap that ultimately freed González.

Kara-Murza and Yashin were both jailed in Russia as political prisoners in 2022. They were traded as part of the swap that freed González.


The Poles found documents in González’s possession showing that, between 2016 and 2021, he fed his GRU handlers not just detailed biographical information about recognizable figures in the Russian diaspora, but also general political intelligence related to countries the Kremlin has long tried to prevent from drifting into a pro-Western alignment. During a trip to Georgia, he reported about various post-Soviet countries’ Euro-Atlantic integration processes and “NATO members and aspiring members’ attitudes towards Russia.”

By 2019, González was living in Warsaw and in a relationship with Magdalena Ch., a Polish journalist who introduced him to the Polish media and political establishments. He wrote and collaborated with several European and U.S. media outlets, including Deutsche Welle and Voice of America. The Guardian’s Shaun Walker, who personally knew González from their participation in a Wales-based training course for conflict journalists, recently wrote that González frequently made trips back to Spain to visit his wife and children. He also went on several reporting jaunts abroad, including to Ukraine. On Feb. 2, 2022 — mere weeks prior to Russia’s full-scale invasion — González posted two selfies to Twitter from the country. One was taken in a Kyiv-controlled area of the Donetsk region, in the east; the other was from inside the Pivdenmash weapons factory in Dnipro, central Ukraine. The Pivdenmash facility was struck last week by Russia’s “Oreshnik” intermediate-range ballistic missile, which is capable of carrying a nuclear warhead. This “test launch” was clearly intended to telegraph Russia’s strategic capability in response to the recent decision by the Biden administration to allow Ukraine to fire Western-supplied missiles at targets inside Russian territory.

González posted this selfie inside the Pivdenmash weapons factory in Dnipro on Feb. 2, 2022, weeks before Russia’s invasion. Russia struck the factory with its “Oreshnik” ballistic missile on Nov. 21, 2024

González did not raise suspicions in his Polish circles, despite the fact that his writings and articles gave a pro-Russian slant to current events. Nor did he hide his heritage; rather, he made much of the fact that his Russian grandfather had fought in the Spanish Civil War — the first knot in what has since become a strong filial tie to the Iberian Peninsula. While González’s Spanish friends knew of his ethnic background and regular travel to Moscow, he maintained with his Russian opposition contacts that he hadn’t been to the motherland in years. Yet he filed dispatches for Russian outlets from Moscow.

By early 2022, “the Spanish services already knew about his activities; the British MI6 and the Polish [Internal Security Agency] did, too,” VSquare uncovered. Before Russia’s attack on Kyiv, González was detained and interrogated for hours by Ukraine’s domestic security organ, the SBU, on suspicion of being a Russian spy.

Following the incident, González learned that Spanish intelligence services were also interested in his background. He promptly returned to Spain. When Russia invaded Ukraine in February 2022, González quickly traveled to Przemyśl, a Polish town bordering the besieged country. It was there that he was taken into custody. González was charged with espionage and remained in solitary confinement for the first couple of months of his two-year stint in pretrial detention.

Magdalena Ch. was charged with being an accessory to espionage. However, she has resumed her journalistic career and now avoids discussing the allegations against her.

Richard Moore, the head of Britain’s MI6, said during the Aspen Security Forum in 2022 that González was indeed an illegal, who was using journalism as cover while “trying to go into Ukraine to be part of their destabilizing efforts there.”

Many of González’s friends and colleagues found that hard to believe.

Without calling his detention arbitrary, Reporters Without Borders urged Polish authorities to release González as he awaited his trial, while other free press activists mounted a public pressure campaign, which circulated on social media under the hashtag #FreePablo. Central to the cause was Warsaw’s sluggish due process and the lack of publicized evidence. Although González told his Russian friends he had long been estranged from Oihana Goiriena, his Spanish wife, she spearheaded her husband’s defense. Prominent left-wing lawyer Gonzalo Boye, who has a history of representing Moscow-connected Westerners in trouble, also played a prominent role. One of Boye’s clients was the Catalan separatist leader Carles Puigdemont, who was offered money and military support from a Russian diplomat in Barcelona on the eve of the Catalonian independence referendum in 2017. Another Boye client was former NSA leaker Edward Snowden, who now lives in Moscow as a Russian citizen.

#FreePablo suffered a slight embarrassment on August 1 of this year when González was featured in the U.S.-orchestrated prisoner swap with the Kremlin. Sixteen political prisoners in Russia, including Wall Street Journal reporter Evan Gershkovich, U.S. businessman Paul Whelan, and Kara-Murza and Yashin, were exchanged for eight Russians — all of them identified as spies, hackers, or killers. Artem Viktorovich Dultsev and Anna Valeryevna Dultseva, a spousal duo of illegals run by the SVR, Russia’s foreign intelligence service, were repatriated from Slovenia, along with their two children, who up until that point hadn’t even known that they or their supposedly Argentinian parents were Russian. (Putin greeted the kids as they disembarked from the plane at Vnukovo with a smiling “Buenas noches.”) Another Russian traded back to Moscow was Vadim Krasikov, an FSB hitman who was convicted and given a life sentence in Germany in 2021 for fatally shooting the former Chechen military commander and Georgian intelligence agent, Zelimkhan Khangoshvili, in broad daylight in Berlin’s Tiergarten Park. Putin wanted Krasikov back most of all and entertained relinquishing his archnemesis, Navalny, to get him. That was before Navalny was killed in a Russian prison.

González arrived in Moscow on the same flight as Krasikov and the SVR illegals. Leaving aside the Kremlin’s indifference to the plight of bona fide journalists, Russian or otherwise, González’s inclusion in a trade featuring spooks and assassins did nothing to stop the European Federation of Journalists from celebrating his release and morally equating him with Gershkovich, a wrongfully imprisoned Wall Street Journal correspondent, and Kara-Murza, the dissident González spied on.

Fancy Bear couldn’t have asked for a happier outcome.

With additional reporting by Anna Gielewska